I have tried to decrypt your pf.conf but it is over my head. As I
see it you have three options.
1) Make it easier so you can help yourself.
2) Ask misc at openbsd.org
3) Read even more about pf.conf so you can help yourself.
Here is my filter which does a good enough job for me.
--- Begin ---
# $Id: pf.conf,v 1.14 2002/07/12 10:47:40 janj Exp $
ext_if = "xl0"
int_if = "fxp0"
# Scrub
scrub in all
# Block and log by default.
block in log all
block out log all
block return-rst in log proto tcp all
block return-rst out log proto tcp all
block return-icmp in log proto udp all
block return-icmp out log proto udp all
# Loopback
pass in on lo0 all
pass out on lo0 all
# Local network
pass in on $int_if from 192.168.???.0/24 to any
pass out on $int_if from any to 192.168.???.0/24
# ICMP
# ping
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# TCP
pass in on $ext_if proto tcp from any to any port { auth, smtp, ssh }
pass out on $ext_if proto tcp all keep state
# UDP
pass in on $ext_if proto udp from any port { afs3-fileserver } to any port { 4711 }
pass out on $ext_if proto udp all keep state
--- End ---
Maybe I should let some more ICMP pass. Also what you seem to
wish for is blocking "blacknets" out, so add a block out from {
black-net }. This is basically the same filter I use on my laptop
(except it only has the ext_if).
The ground rule that is behind pf is "Keep it simple and you will
have less bugs". I think that is a very good rule when making the
filter.
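As an added illustration of the "block out from { black-net }" suggestion above (this is not the poster's ruleset, just an example written in the same style), here is a minimal pf.conf that keeps the default-deny skeleton and adds a macro of networks that should never be seen on the public interface. The interface name and the address list are assumptions: the list holds the RFC 1918 private ranges as a constructed example, and you would substitute whatever networks you consider blacklisted.

```pf
# Added example, not the ruleset from the message above.
# Assumed interface name; the address list is a constructed placeholder.
ext_if = "xl0"

# RFC 1918 private ranges: legitimate traffic on the outside interface
# should never have these as source or destination.
black_net = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Normalize fragments and sanity-check packets before filtering.
scrub in all

# Default deny in both directions, logged to pflog0.
block in log all
block out log all

# Blacknet rules. "quick" ends rule evaluation on a match, so no later
# pass rule can override them. Inbound catches spoofed sources, outbound
# catches leaks toward those networks; both are logged so hits are visible.
block in  log quick on $ext_if from $black_net to any
block out log quick on $ext_if from any to $black_net

# Loopback is always allowed.
pass in on lo0 all
pass out on lo0 all

# Ordinary outbound traffic, stateful, as in the filter above.
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf actually parsed them, and `tcpdump -n -e -ttt -i pflog0` shows which rule logged a blocked packet, which is the quickest way to see whether the blacknet rules are firing or the default deny is.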